Hackers’ $81 Million Sneak Attack on World Banking
Michael Corkery
“The trend is moving from opportunistic crime to Hollywood-scale attacks,” said Mr. Nish, whose firm has analyzed the malware believed to have been used in the Bangladesh breach.
In the United States, most banks take special precautions with their Swift computers, building multiple firewalls to isolate the system from the bank’s other networks and keeping the machines physically isolated in a separate locked room.
But elsewhere, some banks take far fewer precautions. And security experts who have analyzed the Swift breach said they had concluded that the Bangladesh bank may have been particularly vulnerable to an attack.
“Swift is a great organization,” said Chris Larsen, the founder of Ripple, a financial technology company that aims to speed up global money transmissions. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”
In some ways, Swift is a testament to how technology has helped all countries — including poorer ones — gain access to the financial system. But that broader access has a downside.
The central bank in Bangladesh, by some accounts, employed fewer protections against cyberattacks than many other large banks. The bank, for example, used $10 routers and no firewalls, according to news reports.
The server software that the Bangladesh bank employed was a Swift product called Alliance Access, which connects banks to the central messaging system. In a sign of how seriously Swift regards the breach of Alliance Access, the group issued a “mandatory software update” last week to help its members identify possible irregularities.
“These hackers figured out this was a weak point on the periphery, and they went for it,” said Jeffrey Kutler, editor in chief at the Global Association of Risk Professionals, a trade group. “But they were not able to compromise the core.”
Swift’s core is built on technology that has been evolving for decades. What began in 1973 as a relatively small network of 240 banks in Europe and North America is now a sprawling network of 11,000 users that includes both banks and large corporations. At first, Swift could be used to authorize payments across national borders. But it is now also used to transmit messages related to domestic payments, securities settlements and other transactions.
Swift’s growth in recent years — it set a record for messages in March — reflects the increasingly global and interconnected nature of finance. But it also shows the risk of so many financial instructions running through a single system made up of a patchwork of banks and companies with varying levels of online protection.
Each bank on the Swift network is identified by a set of codes. And it was the codes assigned to the Bank of Bangladesh that were recognized — correctly — by the Federal Reserve Bank of New York when it transferred $81 million of the Bangladesh bank’s money to the Philippines, not knowing that someone, somewhere, had stolen the credentials of the Bangladesh bank and installed malware to cover his or her tracks.
Initially, the thieves requested the transfer of $951 million into a handful of bank accounts in Sri Lanka and the Philippines — a number that prompted the New York Fed to ask the Bangladesh bank to reconfirm that it indeed wanted to move the money.
In the end, the Fed processed only five of the 35 fraudulent payment requests, after it could not reconfirm with officials in Bangladesh.
The hackers seemed to time the attack perfectly: When officials from the Fed tried to reach out to Bangladesh, it was a weekend there and no one was working. By the time central bankers in Bangladesh discovered the fraud, it was the weekend in New York and the Fed offices were closed.
To conceal the crime, the malware disabled a printer in the Bangladesh bank to prevent officials from reviewing a log of the fraudulent transfers.
The money was transferred to accounts in the Philippines and then into the Philippine casino system, which is exempt from many of the country’s anti-money-laundering requirements.
The New York Fed has been criticized for letting the $81 million slip out. Representative Carolyn B. Maloney, a New York Democrat and member of the Financial Services Committee, has called for an investigation, warning that the breach “threatens to undermine the confidence that foreign central banks have in the Federal Reserve, and in the safety and soundness of international monetary transactions.”
The New York Fed said in a statement that “there is no evidence that any Fed systems were compromised” and that the transfer of the money had been “fully authenticated” by Swift.
Swift, which prides itself on its secrecy and low public profile, also put out a statement about the attacks. But its executives declined to speak on the record about the episodes, which are still under investigation. The group’s chairman, Yawar Shah, who is a senior executive at Citigroup, also declined to comment.
In its statement, Swift emphasized that the hackers had been able to breach only some of the banks that communicate over Swift, not the network itself.
“The commonality in what we have seen is that (internal or external) attackers have successfully compromised banks’ own environments,” Swift said.
Even if officials at the Bangladesh bank had employed the highest of security measures, the thieves displayed a level of skill, cunning and determination that may have been able to penetrate a far more secure system.
“If you have an attacker who really wants to get in and knows there is a big prize,” Mr. Nish said, “keeping them out over the long term is really difficult.”
Source: http://www.nytimes.com/2016/05/01/business/dealbook/hackers-81-million-sneak-attack-on-world-banking.html?_r=0